Importing site certificate into Java Runtime certificate store

When your Java program attempts to connect to a server that has an invalid or self signed certificate, such as an application server in a development environment, you may get the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To make your Java runtime environment trust the certificate, you need to import it into the JRE certificate store.

Step 1 - Get the certificate into your browser store

Browse to your application server using SSL. Your browser will tell you that the certificate isn't trusted and allow you to trust it, thereby placing it in the browser certificate store.

Step 2 - Export the certificate to a binary file

Your browser will have some kind of certificate manager that allows you to export or back up specific certificates to binary files. In Firefox that would be under Preferences / Advanced / Encryption / Servers. Find the certificate presented by the server and export it as a binary DER file.

Step 3 - Import the certificate into the Java Store

Make sure you have write access to your JRE and  use the keytool utility to import it:

keytool -import -alias alias -keystore path-to-jre/lib/security/cacerts -file path-to-certificate-file

Example:

keytool -import -alias sunas -keystore /opt/jdk1.6/jre/lib/security/cacerts -file /home/gugrim/tmp/sunas.der

You will be prompted for the keystore password, which is by default changeit.

Also, when you connect to the server make sure you use the same name as the one set as the Subject in the certificate. You may need to add it to your host file if the server isn't reachable using this name, which may be the case for a developer server.

That's it!

 

Comments

I would like to add that in windows the folder permissions of the path-to-jre/lib/security needs to have read/write permissions. Apparently just changing permissions of cacert file is not sufficient

Thanks for the helpful information - was stuck on where to place the trusted certificate but following these steps it worked :)

Your covered all important steps nice and clearly in a brief way! Thanks a lot, it helped me a lot :)

Thanks for the useful information.
I got similar problem and thus came into this page.
I had a self signed certificate on mail server and the client gave similar exception.... SunCertPathBuilderException: unable to find valid certification path to requested target

I struggled many ways... like import the certificate to the keystore ..still it did not worked.
At last used the below single line of code, and it solved the problem.

props.put("mail.smtp.ssl.trust", <mail server host>);

Cheers
Jay

Easy to understand, i was looking for a java program to import the certificate, is that possible ?

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Type the characters you see in this picture.
Type the characters you see in the picture; if you can't read them, submit the form and a new image will be generated. Not case sensitive.  Switch to audio verification.